[PATCH] make samba-tool aware of all 7 fsmo roles

Rowland Penny repenny241155 at gmail.com
Wed May 20 11:48:04 MDT 2015


On 20/05/15 18:36, Stefan (metze) Metzmacher wrote:
> Am 20.05.2015 um 18:48 schrieb Rowland Penny:
>> On 20/05/15 17:33, Stefan (metze) Metzmacher wrote:
>>> Am 20.05.2015 um 18:21 schrieb Rowland Penny:
>>>> On 20/05/15 17:06, Stefan (metze) Metzmacher wrote:
>>>>> Hi Rowland,
>>>>>
>>>>>>> Can you change the commit message to this:
>>>>>>>
>>>>>>>         samba-tool: make 'samba-tool fsmo *' aware of all 7 fsmo roles
>>>>>>>
>>>>>>>         BUG: https://bugzilla.samba.org/show_bug.cgi?id=10734
>>>>>>>
>>>>>>>         Signed-off-by: Rowland Penny <repenny241155 at gmail.com>
>>>>>> Hi Stefan,
>>>>>>
>>>>>> Done
>>>>> I don't see an updated commit message...
>>>> Ah, sorry, missed the bug line.
>>>>
>>>>>>>> @@ -58,6 +59,26 @@ def transfer_role(outf, role, samdb):
>>>>>>>>              m["becomeSchemaMaster"]= ldb.MessageElement(
>>>>>>>>                  "1", ldb.FLAG_MOD_REPLACE,
>>>>>>>>                  "becomeSchemaMaster")
>>>>>>>> +    elif role == "domaindns":
>>>>>>>> +        # this would work in the same way as the infrastructure
>>>>>>>> role
>>>>>>>> if the schema allowed it
>>>>>>>> +        # but it doesn't, so will have to sieze
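Review bot: the comment in the new `elif role == "domaindns":` branch says this path "will have to sieze", but the branch sits inside transfer_role, so a user who asks for a transfer of domaindns gets a seize, and nothing in the visible lines tells them so. Suggest writing a notice to outf before the seize, or refusing here and pointing the user at the seize path. The comment should also name what the schema lacks (which attribute was expected) so the limitation can be rechecked later, and "sieze" should read "seize".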
>>>>>>> Can you explain this a bit?
>>>>>>> How is this different (in detail)?
>>>>>> To transfer the main 5 roles, you just create an attribute called
>>>>>> 'become****' containing '1' in the DN that you want to transfer i.e.
>>>>>> create 'becomeRidMaster: 1' to transfer the RIDMaster role. There isn't
>>>>>> a 'become****' attribute for the two dns roles (or at least I cannot
>>>>>> find them and believe me, I tried), so it seems the only way to change
>>>>>> them is to seize them.
>>>>> Wouldn't it be better to simulate the becomeROLE change behaviour?
>>>> Well possibly, but how?
>>>> Please bear in mind, until I started looking into this, python was a
>>>> very big snake to me, I am used to writing bash scripts :-)
>>> :-)
>>>
>>> I'll try to come up with a fix for it.
>> Hang on, I have been doing some more investigations into this and see
>> here: https://msdn.microsoft.com/en-us/library/cc223309.aspx
>>
>> It seems that you run the transfer on the DC you want to transfer the
>> roles to, I suppose that 'becomeInfrastructureMaster' is a big clue :-)
>>
>> There are no 'becomeDomainDNSMaster' & 'becomeForestDNSMaster'
>> attributes, so, yes you could write something that sort of uses those
>> attribute names but it would boil down in the end to basically what I
>> came up with, changing the fSMORoleOwner contents, this is what
>> 'become*****' seems to do anyway i.e. it is just a shortcut!
> But becomeInfrastructureMaster doesn't change the local database,
> but instead it does a DRSUAPI_EXOP_FSMO_REQ_ROLE operation to the current
> role owner, which avoids having two owners at a time.
>
> But I can take care of that part if you want.
>
> metze
>

Ah, had second thoughts after re-reading the page I pointed you at. I
realised that you could set a different dn, so I am seeing if I can work
this out myself, will let you know how I get on.

Rowland
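
The concern raised in this thread, that writing fSMORoleOwner directly can leave two owners at a time, can be checked for after the fact. The following is an added example, not part of the original message or of samba-tool: it compares the fSMORoleOwner values read from each DC for the seven roles and reports every role on which the DCs disagree. The role keys, DC names and example.com DNs are constructed for illustration, and reading the values from each DC is assumed to happen separately.

```python
from collections import defaultdict

# Objects whose fSMORoleOwner attribute names the owner of each role.
# {domain} / {forest} stand for the domain and forest root DNs.
ROLE_OBJECTS = {
    "schema": "CN=Schema,CN=Configuration,{forest}",
    "naming": "CN=Partitions,CN=Configuration,{forest}",
    "pdc": "{domain}",
    "rid": "CN=RID Manager$,CN=System,{domain}",
    "infrastructure": "CN=Infrastructure,{domain}",
    "domaindns": "CN=Infrastructure,DC=DomainDnsZones,{domain}",
    "forestdns": "CN=Infrastructure,DC=ForestDnsZones,{forest}",
}


def role_object_dns(domain_dn, forest_dn):
    """Return {role: DN of the object that carries fSMORoleOwner}."""
    return {role: tmpl.format(domain=domain_dn, forest=forest_dn)
            for role, tmpl in ROLE_OBJECTS.items()}


def find_owner_conflicts(views):
    """views maps DC name -> {role: fSMORoleOwner value read from that DC}.

    Returns {role: {owner: [DC names]}} for every role where the DCs do not
    all report the same owner; a missing value is reported under None.
    """
    conflicts = {}
    for role in ROLE_OBJECTS:
        seen = defaultdict(list)
        for dc, owners in views.items():
            owner = owners.get(role)
            # DNs compare case-insensitively, so normalise before grouping.
            seen[owner.casefold() if owner else None].append(dc)
        if len(seen) != 1 or None in seen:
            conflicts[role] = {k: sorted(v) for k, v in seen.items()}
    return conflicts


# Constructed sample: domaindns was seized on DC2 and DC1 has not seen it yet.
_SITE = ",CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
NTDS1 = "CN=NTDS Settings,CN=DC1" + _SITE
NTDS2 = "CN=NTDS Settings,CN=DC2" + _SITE
SAMPLE = {
    "DC1": {role: NTDS1 for role in ROLE_OBJECTS},
    "DC2": {**{role: NTDS1 for role in ROLE_OBJECTS}, "domaindns": NTDS2},
}

if __name__ == "__main__":
    for role, owners in find_owner_conflicts(SAMPLE).items():
        print(role, owners)
```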


